| title | Authorization actions and attributes |
|---|---|
| description | Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) in authorization |
| author | rolyon |
| manager | pmwongera |
| ms.service | role-based-access-control |
| ms.subservice | conditions |
| ms.topic | reference |
| ms.date | 03/30/2026 |
| ms.author | rolyon |
This section lists the supported authorization actions you can target for conditions.
Target this action to control permissions for creating or updating role assignments. This action applies to both adding new role assignments and updating existing role assignments.
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Create or update role assignments |
| Description | Control plane action for creating role assignments |
| Action | `Microsoft.Authorization/roleAssignments/write` |
| Resource attributes | |
| Request attributes | Role definition ID<br/>Principal ID<br/>Principal type |
| Examples | `!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})`<br/>Example: Constrain roles |
Target this action to control permissions for deleting role assignments. This action applies to removing existing role assignments.
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Delete a role assignment |
| Description | Control plane action for deleting role assignments |
| Action | `Microsoft.Authorization/roleAssignments/delete` |
| Resource attributes | Role definition ID<br/>Principal ID<br/>Principal type |
| Request attributes | |
| Examples | `!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})`<br/>Example: Constrain roles |
This section lists the authorization attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Role definition ID |
| Description | The role definition ID used in the role assignment. |
| Attribute | `Microsoft.Authorization/roleAssignments:RoleDefinitionId` |
| Attribute source | Request<br/>Resource |
| Attribute type | GUID |
| Operators | GuidEquals<br/>GuidNotEquals<br/>ForAnyOfAnyValues:GuidEquals<br/>ForAnyOfAllValues:GuidNotEquals |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}`<br/>Example: Constrain roles |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Principal ID |
| Description | The principal ID assigned to the role. This maps to the ID inside the Active Directory. It can point to a user, service principal, or security group. |
| Attribute | `Microsoft.Authorization/roleAssignments:PrincipalId` |
| Attribute source | Request<br/>Resource |
| Attribute type | GUID |
| Operators | GuidEquals<br/>GuidNotEquals<br/>ForAnyOfAnyValues:GuidEquals<br/>ForAnyOfAllValues:GuidNotEquals |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-723a-407b-a74a-1bca3f0c95d0}`<br/>Example: Constrain roles and specific groups |
[!div class="mx-tdCol2BreakAll"]
| Property | Value |
|---|---|
| Display name | Principal type |
| Description | Principal type represents a user, group, service principal, or managed identity that is requesting access to Azure resources. You can assign a role to any of these security principals. |
| Attribute | `Microsoft.Authorization/roleAssignments:PrincipalType` |
| Attribute source | Request<br/>Resource |
| Attribute type | STRING |
| Values | User<br/>ServicePrincipal<br/>Group |
| Operators | StringEqualsIgnoreCase<br/>StringNotEqualsIgnoreCase<br/>ForAnyOfAnyValues:StringEqualsIgnoreCase<br/>ForAnyOfAllValues:StringNotEqualsIgnoreCase |
| Examples | `@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}`<br/>Example: Constrain roles and principal types |
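Pulling the two actions and the attributes above together, the following added example (not part of the original page) renders one delegation condition in Azure's condition syntax and models how it gates write and delete requests: the write half reads `@Request` attributes, the delete half reads `@Resource` attributes, and untargeted actions pass through. The role definition IDs are the page's own example values; the evaluator is a simplified stand-in for the Azure authorization engine, and the request attribute dictionaries are constructed inputs.

```python
"""Constructed model of a role-assignment delegation condition; not Azure's engine."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional

WRITE = "Microsoft.Authorization/roleAssignments/write"
DELETE = "Microsoft.Authorization/roleAssignments/delete"
ROLE_ID = "Microsoft.Authorization/roleAssignments:RoleDefinitionId"
PRINCIPAL_TYPE = "Microsoft.Authorization/roleAssignments:PrincipalType"

# Role definition IDs are the page's own example values; the types come from its Values list.
ALLOWED_ROLES: FrozenSet[str] = frozenset(
    {"b24988ac-6180-42a0-ab88-20f7382dd24c", "acdd72a7-3385-48ef-bd42-f606fba81ae7"})
ALLOWED_TYPES = ("User", "Group")

@dataclass
class Request:
    """One control-plane call as the condition sees it (constructed input)."""
    action: str
    request: Dict[str, str] = field(default_factory=dict)   # @Request[...] attributes (write)
    resource: Dict[str, str] = field(default_factory=dict)  # @Resource[...] attributes (delete)

def condition_text() -> str:
    """Render the condition in Azure's condition syntax.  Each targeted action is written
    as !(ActionMatches{...}) OR <attribute checks>, so actions not targeted are unaffected."""
    roles = ", ".join(sorted(ALLOWED_ROLES))
    types = ", ".join(f"'{t}'" for t in ALLOWED_TYPES)
    return (
        f"((!(ActionMatches{{'{WRITE}'}})) OR "
        f"(@Request[{ROLE_ID}] ForAnyOfAnyValues:GuidEquals {{{roles}}} AND "
        f"@Request[{PRINCIPAL_TYPE}] ForAnyOfAnyValues:StringEqualsIgnoreCase {{{types}}})) AND "
        f"((!(ActionMatches{{'{DELETE}'}})) OR "
        f"(@Resource[{ROLE_ID}] ForAnyOfAnyValues:GuidEquals {{{roles}}}))"
    )

def guid_equals_any(value: Optional[str], allowed: FrozenSet[str]) -> bool:
    """ForAnyOfAnyValues:GuidEquals on a single-valued attribute; GUIDs compare case-insensitively."""
    return value is not None and value.lower() in {g.lower() for g in allowed}

def allowed(req: Request) -> bool:
    """True when the condition does not block the call (the role's own permissions still apply)."""
    if req.action == WRITE:   # create/update: attributes come from the request body
        ptype = req.request.get(PRINCIPAL_TYPE, "").lower()
        return (guid_equals_any(req.request.get(ROLE_ID), ALLOWED_ROLES)
                and ptype in {t.lower() for t in ALLOWED_TYPES})
    if req.action == DELETE:  # delete: attributes describe the existing role assignment
        return guid_equals_any(req.resource.get(ROLE_ID), ALLOWED_ROLES)
    return True               # any other action is not targeted by this condition
```

A request to assign an allowed role to a service principal is blocked by the principal-type check even though the role itself is permitted, which is the effect of combining the two attribute checks with AND.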